Feature Request: support multiple webroots

I have an A/B server setup, where one is active and one is inactive. On deployment the inactive one is shut down, updated, and brought back up. Then once we verify it's working properly, we switch to that server. Because of this, I have two separate directories that contain the public files at different times.

I had the issue where my cert wasn’t updated properly and I got an email about it. Turns out my letsencrypt conf file was set to the inactive server, so it wasn’t writing in the proper place to be able to verify my ownership.

Creating a sym-link to .well-known/acme-challenge would be a pain to implement because updating the server blows away the entire directory and reinstalls and I don’t have any good place in the installer to put in that symlink.

What would solve this for me would be if I could include multiple webroots and have certbot-auto write whatever file it needs to in both/all places so that it can be sure the challenge file will be accessible no matter which server is active at the moment.

Hi @fresheneesz, I guess what you're looking for in this feature request is the ability for the webroots to be on different servers, not just different directories on the same server, right?

There have been several discussions on this forum in the past where people found various ways to do this using Certbot and other clients. One that I particularly liked was

Maybe that will help; if not, maybe you can look around the forum a little bit to see if you can find others that might be more relevant to your situation. But if I've understood you correctly, it's definitely something that people have already found solutions for using existing tools.

Looking again at what you wrote, it looks like you want the webroots not only to be on multiple servers but also want the challenge files to be written in multiple places. That might require some additional scripting.

@serverco, is there a straightforward way to do this in GetSSL right now?

It seems like it would be easiest to have a folder for the challenge that’s symlinked into both webroots. I assume both servers run as the same user, so identical permissions are OK.

Example, using a hypothetical /var/lechallenge folder:
ln -s /var/lechallenge/.well-known /var/www/site1/.well-known
ln -s /var/lechallenge/.well-known /var/www/site2/.well-known
certbot … -w /var/lechallenge

This should work no matter which server is currently running, since they both see the challenge.

@schoen Actually, all I care about is the ability for challenge files to be written to multiple webroot directories on the same server. But extending that to multiple servers would be nice, I just don't need that right now.

@SilverbackNet “it would be easiest to have a folder for the challenge that’s symlinked into both webroots”

I ended up doing that a few days ago to solve my problem. It wasn't as painful as I expected. This doesn't solve the multiple server issue that schoen brought up though - not that that's a problem for me at the moment.

Schoen, that technique you linked is really interesting. I would think, though, that it wouldn't be possible to combine the symlink technique with that sshfs technique to write the same challenge file to multiple servers, right? In which case, it would certainly be ideal if certbot supported writing a challenge file in multiple locations so that at least the sshfs technique could be used.

Seemingly not. If you're on Linux, there's a tool called inotifywait that you can try to use for this purpose, in conjunction with your own scripts to synchronize across servers. inotifywait can be used to make scripts that run a command when files are created or deleted in specific directories, which you could use, for example, in conjunction with rsync to immediately attempt to synchronize those directories with other services. There are several pitfalls in this idea: it's probably more correct to watch for CLOSE events rather than CREATE events (to avoid trying to synchronize a file while it's still being written), and this approach might create a race condition (where Certbot believes that a challenge is ready to be tested, even though in fact the challenge files are still in the process of being synchronized via rsync to the other server).

GetSSL may also be able to handle this in a more correct way overall.


Yes, GetSSL should be able to do this currently (thanks @schoen).

The only potential issue I can see (and I'm not sure if it's or not from my understanding of the above) is that GetSSL would give an error if any of the locations were not available (i.e. if the inactive one were shut down at the time you were trying to copy a file to it). I'm happy to put in a bug fix for that though as an option.
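The following is an added example, not code from this thread, from Certbot or from GetSSL. It does with a hook script what the original request asks Certbot to do natively: write the same HTTP-01 challenge file into every webroot in a list, local directories as well as `user@host:/path` targets on another server, and keep going when one target is unreachable (the shut-down standby that @serverco mentions), failing only if no copy could be written at all. Because Certbot runs `--manual-auth-hook` synchronously and only asks the CA to validate after the hook exits, this also avoids the race @schoen describes with an inotifywait/rsync watcher. Assumptions: Certbot's documented hook environment (`CERTBOT_TOKEN` and `CERTBOT_VALIDATION`), key-based ssh access to the remote hosts, and a hypothetical `CHALLENGE_TARGETS` variable and script path chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread, not Certbot's own code): an HTTP-01
# auth/cleanup hook that writes the same challenge file to every webroot in
# CHALLENGE_TARGETS so it is served whichever A/B server is live.
# Assumptions: Certbot's --manual-auth-hook contract (CERTBOT_TOKEN and
# CERTBOT_VALIDATION in the environment), ssh access to remote hosts, and a
# target being either a local directory or user@host:/webroot
# (a local path containing ':' is therefore treated as remote).

# Write one challenge file into one target. Returns non-zero on failure
# but never aborts the caller, so an unreachable (e.g. shut-down) server
# does not block issuance as long as another copy lands.
deliver_challenge() {
    target=$1; token=$2; validation=$3
    case $target in
        *:*)
            # remote: user@host:/webroot, written over ssh without a temp file
            host=${target%%:*}; root=${target#*:}
            printf '%s' "$validation" | ssh -o ConnectTimeout=5 -o BatchMode=yes "$host" \
                "mkdir -p '$root/.well-known/acme-challenge' && cat > '$root/.well-known/acme-challenge/$token'"
            ;;
        *)
            dir=$target/.well-known/acme-challenge
            mkdir -p "$dir" 2>/dev/null || return 1
            printf '%s' "$validation" > "$dir/$token" || return 1
            ;;
    esac
}

# Deliver to every target. Prints the number of copies written and
# succeeds if at least one copy was written.
deliver_all() {
    token=$1; validation=$2; shift 2
    ok=0
    for t in "$@"; do
        if deliver_challenge "$t" "$token" "$validation"; then
            ok=$((ok + 1))
        else
            echo "warning: could not write challenge to $t" >&2
        fi
    done
    echo "$ok"
    [ "$ok" -gt 0 ]
}

# Remove the file from every target (for --manual-cleanup-hook).
remove_all() {
    token=$1; shift
    for t in "$@"; do
        case $t in
            *:*) ssh -o ConnectTimeout=5 -o BatchMode=yes "${t%%:*}" \
                     "rm -f '${t#*:}/.well-known/acme-challenge/$token'" ;;
            *)   rm -f "$t/.well-known/acme-challenge/$token" ;;
        esac
    done
}

# Entry point when Certbot runs the script, e.g. (hypothetical paths):
#   CHALLENGE_TARGETS="/var/www/site1 /var/www/site2 deploy@standby.example:/var/www/site1" \
#   certbot certonly --manual --preferred-challenges http \
#     --manual-auth-hook '/usr/local/bin/multi-webroot-hook auth' \
#     --manual-cleanup-hook '/usr/local/bin/multi-webroot-hook cleanup' -d example.com
case ${1:-} in
    auth)    set -- $CHALLENGE_TARGETS
             deliver_all "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" "$@" >/dev/null ;;
    cleanup) set -- $CHALLENGE_TARGETS
             remove_all "$CERTBOT_TOKEN" "$@" ;;
esac
```

The file content is `CERTBOT_VALIDATION`, which for HTTP-01 is the key authorization the CA expects at `/.well-known/acme-challenge/<token>`; the cleanup hook removes it from every target after validation. If the standby server is down at renewal time, the warning is logged and issuance proceeds through the live server; only a zero-copy result makes the hook, and therefore Certbot, fail.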
